
Hang in there, Internet Explorer peeps: Gaping zero-day fix coming Tues

What a way to celebrate a DECADE of Patch Tuesday rollouts


Microsoft is preparing to close a wide-open security hole in Internet Explorer - a vulnerability state-backed spies are exploiting to mine organisations across Asia.

An update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.

The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim's computer; a mark simply has to surf to a web page booby-trapped with JavaScript that triggers the flaw.

In fact, the bug itself is quite an interesting case study: modern Windows kernels attempt to randomise the layout of software in memory and mark the areas containing just data as non-executable, which in theory is supposed to make life extremely difficult for hackers.

But the web page, in this case, can coax IE into loading a Microsoft Office library that snubs address space layout randomisation (ASLR). This sits in a known region of memory, allowing the attack code to initially hop around the library and use instructions within it to grant itself permission to execute its payload of code.

The attack code is packed into JavaScript strings, which sit in memory that Internet Explorer's MSHTML component accidentally uses when it really shouldn't: it tries to call a function pointer, but by that fatal moment, this pointer instead refers to an attacker-controlled part of memory rather than the expected friendly function.

Exploited since August

The vulnerability first came to public attention late last month when targets in Japan were attacked by miscreants exploiting this programming gaffe. Security biz FireEye published an alert about the infiltration attempts on 23 September, and claimed that assaults using the same bug in Microsoft's browser software started around 23 August.

Redmond had realised there was a problem, though not its seriousness, days before FireEye sounded the alarm. Microsoft published technical details and workarounds to defend against the flaw on 17 September.

Security researchers have since linked the same CVE-2013-3893 bug to multiple attacks by various state-sponsored hacking crews against targets in Taiwan and elsewhere in the Far East. In this context the patch for Internet Explorer versions 6 to 11, due to arrive next Tuesday, can't come a day too soon.

October 2013 marks the tenth anniversary of Microsoft’s regular security patch rollouts, Patch Tuesday. Alongside the critical IE update, the world'll get three similarly critical security fixes for Windows that affect the vast majority of deployed platforms except Windows Server 2012 R2 and Windows RT 8.1. Everything from Windows XP up to and including Windows 8 and Windows RT will need patching.

Redmond's security gnomes are also fuelling up four lower severity security bulletins, all rated as "important". Microsoft Office, Microsoft Silverlight 5 and Redmond's SharePoint portal server software will all need patching as a result of security fixes due to arrive on 8 October.

More details will be released once the updates are deployed next week. In the meantime, Microsoft's pre-release notice provides more details of the affected software packages.

Wolfgang Kandek, CTO of Qualys, commented: "The recent [Internet Explorer] 0-day ... is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites."

Adobe - fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers - separately announced plans to deliver a solitary patch for Acrobat 11.0.4 and PDF Reader 11.0.4 on Windows. More details can be found in Adobe's advisory here. ®
